ZIP Slip vulnerability

Open kukuxumushi opened this issue 6 years ago • 3 comments

Description

Attackers can create Zip archives that use path traversal to overwrite important files on affected systems, destroying them or replacing them with malicious alternatives, or to upload a new file containing malicious code.

How to reproduce

  1. Create file with some code, for example:
       <?php
       phpinfo();
       ?>
  2. Name it somehow like this "xxxphpinfo.php".
  3. Create a zip archive.
  4. Open zip archive in hex editor. Change xxx to ../ in two places: in the top of the hex and in the bottom.
  5. Pass modified archive to the Ne-Lexa/php-zip extraction function. For example:
       Zipper::make('phpinfo.zip')->folder('')->extractTo('uploads/');
     I don't have folders in archive, but with and without it works the same.
  6. Navigate to ../uploads and execute phpinfo.php.

Possible Solution

Use php zlib or somehow escape ../ characters.

Additional context

More about vulnerability: https://snyk.io/research/zip-slip-vulnerability

Archive example: php2.zip

Jul 26 '19 15:07 kukuxumushi

As far as I can see this is fixed with PHP 5.7. So users should upgrade their PHP version. As we are only relying on the ZIP module of PHP we cannot fix it for them.

Jul 26 '19 16:07 Chumper

I have php 7.3.7.

Jul 26 '19 16:07 kukuxumushi

I see. I haven't worked with this code in a long time, but I see that we get the file content and put it into the file system on our own here: https://github.com/Chumper/Zipper/blob/master/src/Chumper/Zipper/Zipper.php#L623

We could use ltrim($tmpPath , "/."); to be safe.

Jul 26 '19 22:07 Chumper
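
A path check that could run before each entry is written to disk, as an added example (not Zipper's code and not the maintainers' fix). It resolves every entry name lexically against the destination and rejects names that leave it, and prints the `ltrim($entry, '/.')` result alongside for comparison, since `ltrim` only strips leading characters. `resolveEntry()` is a hypothetical helper and the entry names are constructed samples.

```php
<?php
// Added example. resolveEntry() and $samples are hypothetical, not part of Zipper.

/**
 * Map a ZIP entry name to a path inside $destDir, or return null when the
 * name would resolve outside it (Zip Slip).
 */
function resolveEntry(string $destDir, string $entryName): ?string
{
    // Treat backslashes as separators; some archivers write them.
    $name = str_replace('\\', '/', $entryName);

    // Reject empty names, NUL bytes, absolute paths and Windows drive prefixes.
    if ($name === '' || strpos($name, "\0") !== false
        || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return null;
    }

    // Resolve "." and ".." lexically; refuse any ".." that climbs above the root.
    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (array_pop($parts) === null) {
                return null; // nothing left to pop: the entry escapes $destDir
            }
            continue;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null; // the name refers only to the destination directory itself
    }
    return rtrim($destDir, '/') . '/' . implode('/', $parts);
}

// Constructed entry names; the first matches the archive described in the report.
$samples = ['../phpinfo.php', 'docs/../../phpinfo.php', '..\\phpinfo.php',
            '/abs/file.txt', 'docs/readme.txt', '.htaccess'];
foreach ($samples as $entry) {
    $target = resolveEntry('uploads/', $entry);
    printf("%-24s ltrim=%-24s checked=%s\n", $entry,
        ltrim($entry, '/.'), $target ?? 'REJECTED');
}
```

The check is lexical only, so it does not account for symbolic links that already exist inside the destination directory.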